Mythbusting time

Listed in order of importance.

NET-TOOLS. Avoid this unmaintained, bug-ridden pile of tools (ifconfig, route and so on) under all circumstances.
Use iproute (/sbin/ip et al) instead.

FORWARDING. The act of passing a packet on to another machine.
You cannot forward ports or connections. (They are immovable entities, and each system has its own set.) Operating systems forward single packets at a time.

ROUTING. Based on address/mark/TOS, decides whether packets are delivered locally, or whether they are forwarded. Forwarding and routes can be controlled with `ip route`. Don't forget `sysctl -w net.ipv6.conf.all.forwarding=1 net.ipv4.conf.all.forwarding=1` (there often are distro-level knobs for this).

NAT is not to be confused with routing and/or forwarding.
NAT modifies packets: it changes addresses and/or ports, and often breaks end-to-end connectivity.
If you want redirection without modification of the L3 portion, use the TEE target instead.
With nf_nat, a transformation applies to the whole (NFCT) connection, i.e. both directions.

nat TABLE. A configuration database of sorts. Consulted only when convenient — do not rely on a 1:1 packet:lookup ratio.

BLOCKING PORTS. Remember that Xtables actually does not “block ports”, but packets matching certain conditions.

VSERVER/VPS. (Container solutions like OpenVZ, LXC, nspawn.) Hosting providers often ship an incomplete Xtables (kernel part) setup that you cannot fix because you have no control over it.
Solution: get a dedicated environment where you can choose the kernel image. That can either mean a dedicated server, or something like an (expensive) Amazon EC2 (Xen-based) VM.


There are no “virtual” addresses. There are no “real” addresses, either. There are just addresses.

SEND TO DEVICE. You cannot send/forward “to (Ethernet) interfaces/devices”. Every (Ethernet) packet's destination is determined by a destination MAC address.

BIND TO DEVICE. bind(2) binds to addresses. It says so in the manual, and if an address is on multiple interfaces, it does the thing it is supposed to do: allow connections through those interfaces.

The 5-step to getting assistance

  1. State your intent
  2. State your way of accomplishing it (commands issued, etc.)
  3. State what you had expected
  4. State what you have observed instead
  5. Wait for an answer; don't leave in less than 5 minutes

Posting guidelines

Use the tools shown below whenever possible. Others (like ifconfig) may give incomplete or misleading information; we have all been there. Posting your link and route setup may also help us identify that you have a triangle setup that is not actually an iptables problem. (Providing the output of the following commands gives additional information and saves all of us time.)

ip addr
ip route show table all
sysctl -a | grep '^net\.'
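The ROUTING item above says forwarding comes down to the sysctl knob plus a route lookup, and the commands just listed are where that state is read from. The checker below is an added example, not part of this page, and works on constructed `sysctl` and `ip route show table all` output (the samples are made up, not captured from a real host); it answers whether a packet to a given destination would be forwarded and through which route, skipping local-table entries that mean delivery to this host rather than forwarding.

```python
import ipaddress
import re
# Constructed samples shaped like `sysctl -a | grep '^net\.'` and `ip route show table all` output.
SYSCTL_SAMPLE = """\
net.ipv4.conf.all.forwarding = 0
net.ipv6.conf.all.forwarding = 1
"""
IP_ROUTE_SAMPLE = """\
default via 198.51.100.1 dev eth0 proto static
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.7
10.9.0.0/24 dev wg0 proto kernel scope link src 10.9.0.1
2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
local 198.51.100.7 dev eth0 table local proto kernel scope host src 198.51.100.7
broadcast 198.51.100.255 dev eth0 table local proto kernel scope link src 198.51.100.7
"""
ROUTE_RE = re.compile(
    r"^(?:(?P<type>local|broadcast|anycast|multicast|unreachable|prohibit|blackhole)\s+)?"
    r"(?P<dst>default|\S+)(?:\s+via\s+(?P<via>\S+))?(?:\s+dev\s+(?P<dev>\S+))?")

def parse_sysctl(text):
    """'key = value' lines -> dict of strings."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_routes(text):
    """Unicast routes only: local/broadcast entries mean delivery to this host, not forwarding."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m or m.group("type"):
            continue
        dst, via = m.group("dst"), m.group("via")
        if dst == "default":  # the family of a default route is only visible from its gateway
            dst = "::/0" if via and ":" in via else "0.0.0.0/0"
        routes.append({"net": ipaddress.ip_network(dst, strict=False),
                       "via": via, "dev": m.group("dev")})
    return routes

def lookup(routes, dst):
    """Longest-prefix match within the address family, as the kernel FIB does it."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if r["net"].version == addr.version and addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen, default=None)

def can_forward(sysctls, routes, dst):
    """Would this host forward a packet to dst? The sysctl is checked first, then the route."""
    family = ipaddress.ip_address(dst).version
    if sysctls.get("net.ipv%d.conf.all.forwarding" % family) != "1":
        return "forwarding disabled: set net.ipv%d.conf.all.forwarding=1" % family
    route = lookup(routes, dst)
    if route is None:
        return "no route to %s" % dst
    return "forwarded via %s dev %s" % (route["via"] or "link", route["dev"])
```

Feed it the real output of the two commands and the first thing it reports is whichever of the two classic mistakes applies: forwarding never enabled for that address family, or no route for the destination at all.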

Avoid address obfuscation. Quoting our honorable member twb, “as an example, if you changed your "cookie.local" to "", then I would not realize that you were running into the mDNS-vs.-AD problem”.

Also be patient after having posted the question/problem, especially since we are generally not paid to be your personal express support (but things can be arranged, of course ☺). Leaving the channel 60 seconds after posting is not going to be useful either.

Now that we have discussed the netiquette, the interesting stuff:

Helpful Guides

For Developers